Re: choosing between ipcop and iptables
From: nunya (slim_at_one.net)
Date: 05/19/05
- Next message: Masked Slacker: "Re: Msn ? Windows Update?"
- Previous message: Chris Cox: "Re: read access on passwd file"
- In reply to: enrio_at_online.no: "Re: choosing between ipcop and iptables"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 18 May 2005 22:14:57 -0400
On 16 May 2005 14:53:03 -0700, enrio@online.no wrote:
>Hello,
>I had never heard of ipcop before, so I had a look. It appears that
>ipcop is a _distribution_, that is, you dedicate a computer to run just
>that. It is not clear what else you can install on the same computer
>_after_ you install ipcop, but it seems you cannot install ipcop on top
>of another distribution and continue using the other distribution. I
>could be wrong, I did not look very hard.
>
>Iptables is part of any normal distribution. Not unlikely, ipcop uses
>iptables at its heart.
>
>What distribution are you using?
Fedora Core 2
>
>Do you have any special requirements, e.g., are you going to let others
>access your computer without your presence, like when you run a web
>server, or is your computer going to act as a firewall and router for
>other computers as well?
I have no plans to let others access. This is for me to learn in my
own personal environment.
>
>Depending on what distribution you have, you might have a program
>called
>
> system-config-securitylevel
>
>Just try running it on the command line, if you have it, it will prompt
>you for the root password. Then it will give you a user friendly
>graphical interface to iptables. This will be sufficient for most
>ordinary users. (Notice: do not confuse running a server like a web
>server, with accessing one, like when you browse the web. The same goes
>for ftp. This tool asks you if you want to access such servers.)
>
>If you do not have it, you are running another distribution than me. In
>that case, you should find the documented tools for your distribution.
>
>You can always do without nifty tools and configure your own solution.
>However, if both the distribution startup scripts and your script try
>to set up iptables, the last one to run its commands wins.
>Check if any of the scripts under /etc/init.d executes iptables. You
>can always use the command
>
> iptables -L -v
>
>to learn what is the current state of your iptables filter setup. If
>nothing has been set up the output will look like this:
>
>Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
>
>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
>
>Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
>
>(The number of packets and bytes could be non-zero. This looks so bad
>because the lines with "pkts" are the headings of tables that happen to
>be empty. If there is any data below these lines, you do have some
>filter rules set up.)
>
>
>To create your own script, start here:
>
>http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-5.html
This link was very helpful!!
>
>Just copy the script, use copy-and-paste, but do not include the
>prompts that appear on this web page (i.e., do not include the # that
>starts each line. Where there are two, ##, leave one). Don't worry about
>"not needed if...", unless you made your own kernel, the modules are
>not compiled in. If you try to load the modules twice, the command
>fails, but that is not a problem. Arrange that the script is run during
>each reboot.
>
>To get it to take effect the first time, just run the script. If you find
>you want to change the script, learn to clear all tables before you
>re-run the script. Tip: to clear, do
>
> iptables -F
> iptables -X
> iptables -Z
>
>Once you get this to work, stop. But if you want to do more, read the
>rest of Rusty's HOWTO.
>
>Notice: If you want to use your linux box as a firewall and router for
>a small home network with multiple computers, but all the computers
>must share a single IP address that your ISP provides you, then you
>need 'nat'. 'Nat' commands have '-t nat' in them. There is a separate
>howto for that, I think. 'Nat' (network address translation) plays
>tricks with the addresses in the packets as they are forwarded in or
>out of your local network. Sometimes it has to play tricks with port
>numbers too. On your local network, computers do have different ip
>addresses, these are just not visible to the world in this case.
>
>Regards,
>Enrique
Thanks for your input. I kept hearing about how Linux is so stable and
secure so I just decided to get involved with it and part of my
problem is just learning how things are done. In Windows setting up a
firewall was a few mouse clicks. In Linux it is a little more
involved, but it appears you have more control. Thanks again for your
help.
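Added example, not code from the original thread or from Rusty's HOWTO: a small iptables script for the single-host, no-services case the poster describes, built the way the quoted advice lays it out (flush with -F/-X/-Z first, then default-deny, then explicit accepts), plus a helper that reads `iptables -L -v` output and reports whether any rules are already loaded, which is the check the quoted text suggests before letting two scripts fight over the tables. It also carries the optional `-t nat` masquerading rules for the "share one ISP address with a home LAN" case. The interface names eth0/eth1 and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): host firewall script for a
# single Linux box that runs no services, with an optional NAT section.
# eth0/eth1 are assumed interface names; adjust to your own.

WAN_IF="${WAN_IF:-eth0}"   # assumption: interface facing the Internet
LAN_IF="${LAN_IF:-eth1}"   # assumption: LAN interface (only used by fw_nat_rules)

# Count rule lines in 'iptables -L -v' output read from stdin. Chain headers,
# the "pkts bytes ..." column headings and blank lines are skipped, so an
# untouched filter table counts as 0 and anything else means rules exist.
fw_count_rules() {
    grep -v -e '^Chain ' -e '^ *pkts *bytes' -e '^ *$' | wc -l | tr -d ' '
}

# Constructed sample of what 'iptables -L -v' prints when nothing is loaded.
fw_sample_empty_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
}

# Emit the host-firewall rules as text so they can be reviewed (and checked
# without root) before they are run.
fw_rules() {
    cat <<EOF
# Clear everything first: a re-run must replace stale rules, not append to them
iptables -F
iptables -X
iptables -Z
# Default deny for inbound and forwarded traffic; allow outbound
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback is trusted
iptables -A INPUT -i lo -j ACCEPT
# Replies to connections this host opened (stateful filtering)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# A "new" TCP connection that is not a SYN is a scan or a stale packet
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Let the box answer ping, but not a flood of it
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# Log a sample of what the INPUT policy is about to drop
iptables -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "fw-drop: "
EOF
}

# Rules for the shared-ISP-address case: masquerade what leaves on WAN_IF and
# forward only LAN-initiated connections (and their replies) between the two.
fw_nat_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Load the rules; iptables needs root, so refuse otherwise. Set ENABLE_NAT=1
# to add the NAT section.
fw_apply() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "fw_apply: run as root" >&2
        return 1
    fi
    fw_rules | sh -e
    [ "${ENABLE_NAT:-0}" = 1 ] && fw_nat_rules | sh -e
    return 0
}

# Usage:  sh firewall.sh            -> print the rules for review
#         sudo sh firewall.sh apply -> load them (ENABLE_NAT=1 for the NAT rules)
case "${1:-show}" in
    apply) fw_apply ;;
    *)     fw_rules ;;
esac
```

Run it without arguments first and read the output; `iptables -L -v | fw_count_rules` (after sourcing the script) tells you whether a distribution script has already loaded rules, in which case the flush at the top of `fw_rules` will silently replace them, which is exactly the "last one to run wins" behaviour the quoted text warns about. The flush lines are in the script precisely so that editing and re-running it does not accumulate duplicate rules.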